COMMAND

    cgiwrap

SYSTEMS AFFECTED

    Systems running cgiwrap-3.5 and 3.6beta1

PROBLEM

    Duncan  Simpson  found  spotted  a  code  fragmen that allocated a
    static  buffer  and  printed  an  arbitary  lenght  string  in it.
    Exploits  probably  require  one  to  create  a file with the name
    contiaining shellcode  but that  should not  be a  serious problem
    (/ means new dir and \0 does not happen).

SOLUTION

    Here is a patch:

    diff -ur cgiwrap-3.6beta1/util.c cgiwrap-3.6beta1-fixed/util.c
    --- cgiwrap-3.6beta1/util.c     Tue Nov 18 04:51:05 1997
    +++ cgiwrap-3.6beta1-fixed/util.c       Sun Dec  7 00:15:27 1997
    @@ -282,7 +282,7 @@

            if (!(fileStat.st_mode & S_IXUSR))
            {
    -               sprintf(tempErrString, "Script is not executable. Issue chmod 755 %s", scriptPath);
    +               snprintf(tempErrString, 254, "Script is not executable. Issue chmod 755 %s", scriptPath);
                    MSG_Error_ExecutionNotPermitted(tempErrString);
            }

    which should apply cleaning to 3.5 as well. (The patch is  against
    3.6beta1 as you can see). The maintainer has been informed.